
Old Passwords Are Dangerous Passwords

Passwords are the combination to the safe containing all your secrets. But they are easier to guess – or steal.

In the high-speed world of computers, 30 days is old. Did you read about the Russian hackers who stole 1.2 billion passwords? Odds are fair that some of yours were among them, which means it is time to change them, and any site that announces a breach should have its password changed immediately, however recently you set it. Yes, constantly changing passwords is a pain, but it may also save your bank account, your credit rating, your business, and even your criminal record: identity theft can end with you being arrested for someone else's crimes. It happens, and it happened to Tallie Gainer in Tampa on August 1:

Tallie Gainer III became a victim of identity theft. Adding insult to injury, police arrested him in front of his children, and he was charged with check fraud, even though he had earlier reported his wallet, identification and credit cards stolen. From http://www.totalcriminaldefense.com/news/articles/unusual/identity-theft/

While password keepers (password managers) give you a way to store all of your passwords in one location so you don't forget them, they also store all of your passwords in one location which, if compromised, would give the hacker every one of them. The vault is encrypted under your master password, so in practice the weak points are a short or reused master password and a machine that is already infected with a keylogger; guard those two and the manager is still safer than reusing one password everywhere. Either way, the passwords themselves need to be strong. So what's the workaround if you want to remember them? Use long phrase passwords with numbers and punctuation. An example may be:

MyBirthday01JAN1970+GotMarried15APR1990!
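The following is an added example, not code from the original post, showing what actually makes a long phrase strong. It generates a passphrase from a word list with Python's `secrets` module and then compares two entropy estimates for the example password above: the naive length-times-charset figure, and the figure an attacker gets once they guess the template "MyBirthday<date>+GotMarried<date>!" and only the two dates are unknown. The 32-word `WORDS` list is a constructed stand-in for a real list such as the 7,776-word EFF diceware list, and the assumption that each date is one of roughly 100 years of days is stated in the code where it is used.

```python
# Added example, not code from the original post: generate a passphrase from a
# word list with the `secrets` module and compare its entropy with that of a
# passphrase assembled from personal facts, such as the example above.
# WORDS is a constructed 32-word stand-in for a real list such as the
# 7,776-word EFF diceware list; the slot counts for the template estimate
# are assumptions stated where they are used.
import math
import secrets
import string

WORDS = (
    "anchor", "basil", "cactus", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kelp", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "ripple", "saddle", "thistle", "umber", "velvet", "walnut", "yarrow",
    "zephyr", "bramble", "cobalt", "drift", "falcon", "granite", "hollow", "meadow",
)


def random_passphrase(n_words=6, words=WORDS, sep="-"):
    """Pick n_words uniformly and independently with a CSPRNG (never `random`)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of a uniformly chosen passphrase: log2(wordlist_size ** n_words)."""
    return n_words * math.log2(wordlist_size)


def naive_entropy_bits(password):
    """What a length-times-charset estimate claims: len * log2(charset size).
    It overstates strength whenever the password has structure an attacker can guess."""
    classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32))
    charset = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(charset)


def template_entropy_bits(slot_choices):
    """Entropy left once the attacker knows the template and only the blanks vary:
    the sum of log2(choices) over the blanks."""
    return sum(math.log2(n) for n in slot_choices)


# Worked comparison for the page's example.  Assumption: the attacker guesses the
# template "MyBirthday<date>+GotMarried<date>!" and each date is one of ~100 years
# of days (36,525 choices), which is generous, since both dates are often public.
EXAMPLE = "MyBirthday01JAN1970+GotMarried15APR1990!"
DATE_CHOICES = 100 * 365 + 25

if __name__ == "__main__":
    print("random (32-word list):", random_passphrase(),
          f"{passphrase_entropy_bits(6, len(WORDS)):.1f} bits")
    print("6 diceware words     :", f"{passphrase_entropy_bits(6, 7776):.1f} bits")
    print("example, naive       :", f"{naive_entropy_bits(EXAMPLE):.1f} bits")
    print("example, template    :",
          f"{template_entropy_bits([DATE_CHOICES, DATE_CHOICES]):.1f} bits")
```

Run stand-alone, the script shows the example password scoring about 262 bits by the naive estimate but only about 30 bits once the template is known, while six words drawn from a 7,776-word list give about 77.5 bits with nothing about you in them. The lesson is the one the post is reaching for: length is what does the work, and words that are not facts about you keep the attacker from shrinking the search.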

Of course you think this is ridiculous. Know what makes it work, though: the length. The two dates are facts about you that an attacker may already know or can look up, so a phrase built from words that are not about you is stronger still. I doubt you also think it's ridiculous to change clothes every day, change toothbrushes every month, and change the oil in your vehicles every 3 months or 3,000 miles. But you do it. Why? To protect yourself and your vehicles. Digital compromise is now simply a part of modern life, a part that is constantly under assault from people who would love for everyone to let their guard down. Change your passwords regularly; every month is highly recommended. Or leave it to chance and see if it works out okay for you...

We talk about “EDC” (Every Day Carry) so let’s talk about “EDCD” (Every Day Cyber Defense)

1. Use a different password for every site.
2. Install updates on your Mac, Linux or Windows system regularly.
3. Keep your browsers up to date on all systems, including mobile.
4. Use HTTPS Everywhere (a browser extension) to connect to websites. (The EFF has since retired that extension because the major browsers now ship an HTTPS-only mode; turn that setting on instead.)
5. Keep your antivirus and other security applications up to date and scheduled to run.
6. Install and use Malwarebytes or a similar application to supplement your A/V.
7. Turn your device off when not in use (any connected device is a target while running).
8. Learn how to handle emails with attachments, even from friends: an attachment you did not expect deserves a phone call before a double-click.
9. Learn what to do when you encounter a security warning online (site certificates): a certificate warning means the connection cannot be verified, so do not click through it on any site where you will log in.
10. When in doubt, Google it or phone a friend (better to be embarrassed than compromised).

Here's one extra tip: using a different password for every site is challenging, so one common trick is to put part of the site's name somewhere in the password. Be aware of the cost: when one site leaks its password database, the pattern is visible in the leaked string, and attackers who stuff leaked credentials into other sites will try the obvious substitutions, so a per-site tweak is a step above plain reuse but well below a password manager holding truly unrelated passwords. Using the same example from above, try this:

It happens. It happens to almost everyone at some point. Usually, the bigger the target and the higher the reward, the more likely you are to be hacked, and the same goes if you are hosted on a community site that serves large numbers of people. But it also happens to sites with very little traffic and weak security, such as old plugins or widgets still running on the site.

Last week my friend Danny Brown had his Facebook page hijacked and there was a lot of buzz about that in the social sphere, but that's not what I'm writing about today. In Danny's case someone, someone he knew obviously, guessed his Facebook login and proceeded to have their way. What I am writing about today is the anonymous hacker who uses your platform to launch their attack. That attack may be a vicious attack or simply spam. Either way it's bad for you and bad for all netizens.

When you think of hackers in this case, don't think of some pimple-faced post-teen cowering in his parents' basement surrounded by pizza boxes and Dr. Pepper cans. Think instead of sophisticated programmers who have written automated scripts that dig for known vulnerabilities and exploit them the moment they are found. There is no human involvement beyond starting the application and letting it do its work. The target? Installations of popular platforms like WordPress or Joomla with outdated plugins, themes and widgets, which provide an easy hole to walk right in and take over.

What is a URL redirect hack?

The most common attack these days is the URL redirect: the script finds a vulnerability and uses it to rewrite the .htaccess file. This file is Apache's per-directory configuration. It tells the web server, not the browser, how to handle each request, and the mod_rewrite directives it can contain decide whether a request is served, rewritten or sent somewhere else, depending on who is asking. A hacked .htaccess typically adds RewriteCond lines that match visitors whose Referer or User-Agent mentions Google, Bing or Yahoo, followed by a RewriteRule that bounces them to a spam site, while you, typing the address directly, see your normal site. Writing a replacement .htaccess is trivial once an attacker can write files into your web root, and a vulnerable plugin can hand them that ability. That is what happened, and is still happening, with a particular version of the timthumb.php script, which let an attacker get a file of their choosing onto the server and which is bundled in hundreds if not thousands of themes and plugins.

How do I know if I’ve been hacked?

Example of Google results on a hacked site.

If you have any level of readership, they will probably tell you. If not, there are a few things you can check. First, search Google for your site and click one of the results: the redirect usually fires only for visitors who arrive from a search engine, so typing the address into the browser yourself can show a perfectly clean site while searchers are being sent elsewhere. If you end up on a squeeze page selling drugs to help you get it on or get a bigger unit, you're hacked (unless you are a reseller for such stuff, that is). Look at the search results themselves as well: if the titles and snippets for your pages advertise those products, you're contaminated. Also open the .htaccess file in your web root and look for RewriteCond lines that mention Google, Bing or Yahoo; you did not put them there. You can also use the free scanner at Sucuri.net; Sucuri is also a company that can help clean your site and protect you.
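The following is an added example, not code from the original post or from any scanner it mentions, that turns the two checks above into something you can run. It scans an .htaccess file for the cloaking pattern described in the previous section (RewriteCond lines that test the visitor's Referer or User-Agent for a search engine, followed by a RewriteRule that sends that visitor off-site) and probes a live URL with three identities, a direct visitor, a visitor arriving from Google, and Googlebot, without following redirects, so a conditional redirect shows up as a 301/302 with a Location header you can read. The two .htaccess samples are constructed, the hostnames in them are placeholders, and the list of search-engine names is an assumption you may want to extend.

```python
# Added example, not code from the original post: scan an .htaccess file for the
# search-engine cloaking pattern, and probe a live site as different visitors.
# Both .htaccess samples are constructed; hostnames are placeholders.
import re
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

SEARCH_ENGINE = re.compile(r"google|bing|yahoo|msn|aol|ask\.com", re.I)  # assumed list
VISITOR_HEADER = re.compile(r"HTTP_(REFERER|USER_AGENT)", re.I)
OFFSITE = re.compile(r"^https?://", re.I)


def suspicious_rewrites(htaccess_text):
    """Return (conditions, rule) pairs where a RewriteRule redirects to an absolute
    URL and at least one of its RewriteCond lines keys on a search-engine referer
    or user agent.  Apache applies RewriteCond lines only to the RewriteRule that
    follows them, so the buffer of conditions is reset by any other line."""
    findings, conds = [], []
    for raw in htaccess_text.splitlines():
        parts = raw.split()
        directive = parts[0].lower() if parts else ""
        if directive == "rewritecond":
            conds.append(raw.strip())
            continue
        if directive == "rewriterule" and len(parts) >= 3:
            keyed = [c for c in conds if VISITOR_HEADER.search(c) and SEARCH_ENGINE.search(c)]
            if keyed and OFFSITE.match(parts[2]):
                findings.append((keyed, raw.strip()))
        conds = []
    return findings


class _NoRedirect(HTTPRedirectHandler):
    """Make urllib report a 3xx as an HTTPError instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, headers, timeout=10):
    """Fetch url once with the given request headers; return (status, Location or None)."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, headers=headers), timeout=timeout) as resp:
            return resp.status, None
    except HTTPError as err:  # 3xx lands here because of _NoRedirect; so do 4xx/5xx
        return err.code, err.headers.get("Location")


# Three identities to compare: a direct visit, a visitor arriving from Google, and Googlebot.
IDENTITIES = {
    "direct": {"User-Agent": "Mozilla/5.0"},
    "from-google": {"User-Agent": "Mozilla/5.0", "Referer": "https://www.google.com/"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
}


def cloaking_report(url):
    """Map each identity to (status, Location).  A site that answers 200 to 'direct'
    but 301/302 to an unfamiliar host for 'from-google' is showing the redirect hack."""
    return {name: probe(url, hdrs) for name, hdrs in IDENTITIES.items()}


# Constructed samples (not real files): a hacked .htaccess and the stock WordPress one.
HACKED = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*googlebot.* [NC]
RewriteRule ^(.*)$ http://pills.example/in.php?q=$1 [R=301,L]
"""
STOCK_WORDPRESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    import sys
    for name, text in (("hacked sample", HACKED), ("stock WordPress", STOCK_WORDPRESS)):
        print(name, "->", suspicious_rewrites(text) or "clean")
    if len(sys.argv) > 1:  # live probe, needs network: python3 probe.py https://your-site.example/
        for identity, result in cloaking_report(sys.argv[1]).items():
            print(f"{identity:12} {result}")
```

The scanner deliberately ignores unconditional off-site redirects (a legitimate `RewriteRule ^old$ https://new.example/ [R=301]` has no RewriteCond keyed on the visitor), so it reports the cloaking pattern rather than every redirect. The live probe is the same check the post describes by hand, clicking through from a Google result, with the redirect captured instead of followed.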

How do I prevent my site from being hacked?

You can't, completely. You can, however, take precautions that make it much less likely. One thing you can do is hire a professional to check your site for open vulnerabilities. You can also make sure every installed web application, theme and plugin is up to date, and delete the ones you are not using, since an inactive plugin's files are still on the server where a scanner can reach them. Let's face it: if you downloaded and installed a script from a Russian file-sharing site, you opened the door wide without any need for a hacker. And even if you're just a casual small-business website owner, there really are "people out to get you"; the scripts do not care who you are.

Have you ever logged in to Twitter to see that you have been posting, mentioning people or even sending direct messages, although you haven't been near your account for hours? It happens. When it does, provided you haven't handed your login information to some rogue programmer or site master, you can control access to your account: applications connect through the Twitter API with permissions you granted them, and those permissions can be revoked one application at a time without touching your password. There are several legitimate applications that ask for permission to access your account for varying reasons. Seesmic, for example, needs to be able to log in as you, post as you and send direct messages as you. Paper.li needs to be able to read as you to work, and wants to post as you so it can spam all of the people it copied when it posted.

You can revoke any application's access to your Twitter account (every application connects through the Twitter API under permissions you granted) by following some very, VERY simple steps in the Apps section of your account settings. If you did give your password away, change it as well, since revoking applications does not stop someone who can log in as you. Watch this short video on YouTube for a quick walk-through showing exactly how to do this.